Regardless of the logical protection built into a security chip, a skilled attacker can still mount a number of physical attacks to recover the key, or to help deduce it.
In secure chip applications, there are also problems associated with storing program code and keys in internal ROM or Flash memory.
For example, single bits in a ROM can be overwritten using a laser cutter microscope, to either 1 or 0 depending on the sense of the logic. With a given opcode/operand set, it may be a simple matter for an attacker to change program code from a conditional jump to an unconditional jump, or to change the destination of a register transfer. If the target instruction is chosen carefully, the result may be that the key is revealed. EEPROM/Flash attacks are similar to ROM attacks, except that the laser cutter microscope technique can be used to both set and reset individual bits, which gives much greater scope for modifying algorithms.
Instead of trying to read the Flash memory, an attacker may simply set a single bit using a laser cutter microscope. Although the attacker does not know the previous value, they know the new value. If the chip still works, the bit's original state must have been the same as the new state. If the chip no longer works, the bit's original state must have been the logical NOT of the current state. An attacker can perform this attack on each bit of the key and obtain the n-bit key using at most n chips (if the new bit matched the old bit, the chip is still working and a new chip is not required for determining the next bit).
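To make the "at most n chips" bound concrete, the following is an added simulation of the single-bit overwrite oracle described above (example code, not part of the original text). It assumes a batch of chips personalised with the same key, that the overwrite can only force a bit to 1, and that a chip with any modified key bit observably stops working; the key is a constructed sample.

```python
"""Simulation of the set-one-bit / does-the-chip-still-work oracle (constructed)."""
import secrets


class Chip:
    """A simulated security chip whose n-bit key sits in writable memory.

    Assumption: the chip functions only while its stored key still equals
    the key it was personalised with; a corrupted key makes it stop working."""

    def __init__(self, key_bits: list[int]):
        self._factory_key = list(key_bits)   # hidden from the attacker
        self._memory = list(key_bits)        # what a laser overwrite changes

    def set_bit(self, index: int) -> None:
        """Physically force one stored bit to 1; its old value is not revealed."""
        self._memory[index] = 1

    def works(self) -> bool:
        """Observable behaviour: only an unmodified key keeps the chip working."""
        return self._memory == self._factory_key


def recover_key(new_chip, n: int) -> tuple[list[int], int]:
    """Walk the key bit by bit, taking a fresh chip only after breaking one.
    Returns (recovered_key_bits, chips_consumed)."""
    key, chip, chips_used = [], new_chip(), 1
    for i in range(n):
        chip.set_bit(i)
        if chip.works():
            key.append(1)          # overwrite was a no-op: bit was already 1
        else:
            key.append(0)          # chip died: bit was 0 before being forced to 1
            if i < n - 1:          # the last bit needs no replacement chip
                chip, chips_used = new_chip(), chips_used + 1
    return key, chips_used


def chips_needed(key_bits: list[int]) -> int:
    """Closed form: one chip, plus one per zero bit except a zero in the last position.
    Worst case (all zeros) is exactly n, matching the bound stated in the text."""
    return 1 + sum(1 for b in key_bits[:-1] if b == 0)


if __name__ == "__main__":
    n = 128
    sample_key = [secrets.randbits(1) for _ in range(n)]   # constructed sample key
    recovered, used = recover_key(lambda: Chip(sample_key), n)
    print(recovered == sample_key, used, chips_needed(sample_key))
```

Averaged over random keys roughly n/2 chips are consumed, so the supply of sample chips, not the key length, is what bounds the attacker's cost.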
In addition, if the chip's operation could be directly observed using an STM or an electron beam, keys could presumably be recorded as they are read from the internal non-volatile memory and loaded into working registers. These forms of conventional probing would require direct access to the top or front side of the IC while it is powered.